For Region, choose the appropriate AWS Region. Do not use the
region selector in the navigation bar (top right corner).

Choose Create key.

Type an alias for the CMK. An alias cannot begin with aws.
Aliases that begin with aws are reserved by Amazon Web Services to represent
AWS-managed CMKs in your account.

An alias is a display name that you can use to identify the CMK. We recommend that
you choose an alias that indicates the type of data you plan to protect or the
application you plan to use with the CMK.

(Optional) Type a description for the CMK.

We recommend that you choose a description that explains the type of data you plan
to protect or the application you plan to use with the CMK.

Choose Next Step.

(Optional) Type a tag key and an optional tag value. To add more than one tag to the
CMK, choose Add tag.

Choose Next Step.

Select which IAM users and roles can administer the CMK.

Note

The AWS account (root user) has full permissions by default. As a result, any
IAM users and roles whose attached policies allow the appropriate permissions can
also administer the CMK.

(Optional) To prevent the IAM users and roles that you chose in the previous step
from deleting this CMK, clear the box at the bottom of the page for Allow key
administrators to delete this key.

Choose Next Step.

Select which IAM users and roles can use the CMK to encrypt and decrypt data with
the AWS KMS API.

Note

The AWS account (root user) has full permissions by default. As a result, any
IAM users and roles whose attached policies allow the appropriate permissions can
also use the CMK.

(Optional) You can use the controls at the bottom of the page to specify other AWS
accounts that can use this CMK to encrypt and decrypt data. To do so, choose Add
an External Account and then type the intended AWS account ID. Repeat as
necessary to add more than one external account.

Creating CMKs (API)

The CreateKey operation has no required parameters. However, if you are creating a
key with no key material, the Origin parameter is required. You might also want to
use the Policy parameter to specify a key policy. You can change the key policy
(PutKeyPolicy) and add optional elements, such as a description and tags, at any time.

The following is an example of a call to the CreateKey operation with no
parameters.

If you do not specify a key policy for your new CMK, the default key policy that CreateKey applies is different from the default key policy that the
console applies when you use it to create a new CMK.

For example, this call to the GetKeyPolicy operation returns the key policy that
CreateKey applies. It gives the AWS account root user access to the CMK and allows it
to create AWS Identity and Access Management (IAM) policies for the CMK. For detailed
information about IAM policies and key policies for CMKs, see Authentication and
Access Control for AWS KMS.
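
The difference between the two defaults can be checked offline once a key policy document has been retrieved. The following is an added example, not AWS code: it audits a key policy for the three choices the console procedure exposes (IAM policies enabled through the root user, principals that can delete the key, and external accounts). The function names, account IDs, role names, and both sample policies are constructed for illustration; conditions, Deny statements, and NotAction are not evaluated.

```python
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed placeholder account ID
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
# Constructed sample: a policy with only the root-user statement the page describes.
API_DEFAULT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}]}
# Constructed sample: root statement plus administrator and user statements.
CONSOLE_STYLE = {"Version": "2012-10-17", "Statement": API_DEFAULT["Statement"] + [
    {"Sid": "Key administrators", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"},
     "Action": ["kms:Describe*", "kms:Put*", "kms:ScheduleKeyDeletion"], "Resource": "*"},
    {"Sid": "Key users", "Effect": "Allow",
     "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:role/App",
                           "arn:aws:iam::444455556666:root"]},
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS", []))

def _account_of(principal):
    # ARN form is arn:aws:iam::<account>:...; a bare 12-digit ID is also accepted.
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def _allows(stmt, action):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatchcase(action.lower(), a.lower())
               for a in _as_list(stmt.get("Action", [])))

def audit_key_policy(policy, account_id):
    """Summarise who controls the key, looking at Allow statements only."""
    root = {f"arn:aws:iam::{account_id}:root", account_id}
    report = {"iam_policies_enabled": False, "can_delete": set(), "external_accounts": set()}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for p in _principals(stmt):
            if p in root and "kms:*" in _as_list(stmt.get("Action", [])):
                report["iam_policies_enabled"] = True  # IAM policies can grant access
            elif p not in root and _allows(stmt, "kms:ScheduleKeyDeletion"):
                report["can_delete"].add(p)
            if p != "*" and _account_of(p) != account_id:
                report["external_accounts"].add(_account_of(p))
    return report
```

When `iam_policies_enabled` is true, the key policy alone does not list everyone with access; the account's IAM policies have to be reviewed as well.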